Slide 1

Slide 1 text

Beat the Bots
Jay Coley

Slide 2

Slide 2 text

©2017 AKAMAI | FASTER FORWARD™

Agenda
• Introduction
• Attack Surface Analysis
• Credential Abuse – What is it?
• Risk and Cost
• Attack Analysis
• Detection and Mitigation
• Bot Manager Premier Demonstration

Slide 3

Slide 3 text

Introduction

Slide 4

Slide 4 text

Secure web systems for OVER 19 YEARS

1998 │ Akamai founded
2003 │ Prolexic founded
2003 │ Site Shield introduced
2004 │ Largest DDoS <10G
2007 │ Largest DDoS >50G
2008 │ Largest DDoS >80G
2009 │ Korea DDoS attacks
2009 │ First cloud WAF
2011 │ Kona Site Defender
2011 │ >69 Mpps DDoS
2013 │ CSI
2014 │ KRS
2014 │ Prolexic acquired
2014 │ >321 Gbps DDoS
2015 │ Managed WAF
2015 │ Client Reputation
2016 │ Bot Manager
2016 │ Credential Abuse
2016 │ Largest DDoS >630G
2016 │ IoT Botnets
2017 │ Bot Manager Premier
2017 │ WireX
2017 │ API Protection
2018 │ Largest DDoS >1.35

Slide 5

Slide 5 text

A cloud platform with INTERNET SCALE

Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile devices and data collection.

• Over 250,000 servers
• Deployed in more than 3,500 locations and 1,600 networks in 128 countries

Slide 6

Slide 6 text

A cloud platform that SCALES FOR YOU

[Chart: peak platform traffic by year, rising through 8.7, 13.0, 15.4, 26.0, 33.6 and 41.0 Tbps to >60.0 Tbps; year axis runs 2010/2011 through 2016/2017]

Slide 7

Slide 7 text

Business initiatives increase ATTACK SURFACE

From a single data center to:
• Multiple data centers
• Distributed footprint
• Cloud provider
• Hosted applications
• Applications
• Remote access
• APIs

Slide 8

Slide 8 text

Partner with Akamai :: SECURITY STRATEGY

Infrastructure
– Denial of service
– Malware prevention

Slide 9

Slide 9 text

Partner with Akamai :: SECURITY STRATEGY

Access
– Enterprise access management

Slide 10

Slide 10 text

Partner with Akamai :: SECURITY STRATEGY

Application
– Denial of service
– Web application firewall
– Bot management
– DNS

Slide 11

Slide 11 text

Credential Abuse :: What is it?

Slide 12

Slide 12 text

The Target :: Transactional Endpoints

Endpoints where clients submit (POST) unique information:
• Account sign-up
• Login (username / password)
• Gift card / loyalty account
• Comment / form spam ("Tell me more" forms)
• Other POST endpoints (???)

Slide 13

Slide 13 text

Transactional Endpoints – Two Classes of Bots

1. Scraping Bots
2. Transactional Bots

Scraping bot examples:
• Example 1: Price scraping (good or bad)
• Example 2: Content scraping (good or bad)
• Example 3: Google web crawler (good)

Slide 14

Slide 14 text

Transactional Endpoints – Two Classes of Bots

1. Scraping Bots
2. Transactional Bots

Transactional bot examples:
• Example 1: Login attack :: credential abuse (bad)
• Example 2: Fake account sign-up (bad)
• Example 3: Concert ticket grabbers (bad)

Slide 15

Slide 15 text

CREDENTIAL ABUSE

Abusing leaked credentials:
1. Leaked credentials → FRAUDSTER buys credentials
2. Fraudster VERIFIES credentials through a BOTNET (username / password → LOGIN, repeated across many accounts)
3. Valid pairs log in to the CUSTOMER SITE → ACCOUNT TAKEOVER
4. END USER ASSETS (shopping, accounts, data) → FINANCIAL GAIN

Slide 16

Slide 16 text

Typical Botnet – Architecture

Attacker → SSH tunnel 1, SSH tunnel 2, ... SSH tunnel n → vulnerable IoT devices (proxy tier: full HTTP(S) proxy) → login attempts → target web server

Source: https://blogs.akamai.com/2016/10/when-things-attack.html

Slide 17

Slide 17 text

Risk and Cost

Slide 18

Slide 18 text

BUSINESS RISK

Top external attack vectors (share of respondents):
• Software vulnerability (software…)  42%
• Use of stolen credentials (logins,…)  37%
• User interaction (phishing,…)  37%
• Web application (SQL injection,…)  34%
• DDoS  28%
• Strategic web compromise…  22%
• DNS  20%
• Mobile malware  18%
• Exploitation of lost/stolen asset  11%

Source: The State of Network Security: 2016-2017, Forrester, January 2017

Slide 19

Slide 19 text

Credential Abuse Numbers

[Chart: monthly attacks and number of accounts targeted]

Total cost :: $546,000 to $54,000,000 per year

Slide 20

Slide 20 text

Credential Abuse :: One Week

Industry                    IPs Participating    Login Requests    % of Total Requests
Gaming                              7,712,894     1,358,045,044                 61.30%
Hotels & Resorts                      122,026       232,309,946                 10.49%
Cards & Payments                      477,507       148,304,255                  6.69%
Department Stores                     326,151       104,748,065                  4.73%
Commerce Portal                        66,321        60,199,822                  2.72%
Banking                               349,474        55,356,808                  2.50%
Airline                                86,346        41,004,594                  1.85%
Cosmetics                              82,808        38,197,524                  1.72%
Consumer Software (B2C)               224,707        28,202,339                  1.27%
Social Media                          127,396        26,557,605                  1.20%
Enterprise Software (B2B)              21,290        25,383,158                  1.15%
Consumer Electronics                   50,984        25,264,381                  1.14%
Apparel & Footwear                     66,414        19,692,260                  0.89%
Online Travel Agents                  102,555         8,935,366                  0.40%
Federal                                 3,403         7,454,257                  0.34%

Slide 21

Slide 21 text

Credential Stuffing Request Rate – Per Attacking IP

• The majority of IPs performing credential stuffing make less than 1 request per minute
• Average is 28 requests per hour
• Maximum request rate observed from a single IP during the sampled period: 625,000 requests per hour (about 173 login requests per second)

Rate controls are only effective against the rare bots that fall outside typical human request-rate thresholds; the distributed, low-rate majority stays under any per-IP limit a real user could also hit.

Slide 22

Slide 22 text

Success Rate

[Chart: credential-abuse success rate]

Slide 23

Slide 23 text

Consequences

Total cost
• $546,000 to $54,000,000 per year
• GDPR violation

Slide 24

Slide 24 text

Who is responsible?

• Dispersed accountability
• No single function can address every aspect.

Slide 25

Slide 25 text

Threat Landscape

Slide 26

Slide 26 text

Customer Background
• Global brand.
• Luxury department store, based in London.
• Founded 18XX.
• High net worth client base.

Slide 27

Slide 27 text

CA event
• 30 day POC.
• Started 14th September 2017.
• Credential abuse attack within 24 hours.
• Major attack during POC: 15th October 2017, 12pm to 5pm, 150,025k requests from botnet.
• PEAK: 2pm, 75246k bots, 1333 separate IP addresses.

Slide 28

Slide 28 text

• Large number of compromised accounts.

Slide 29

Slide 29 text

Event effects
• Late Friday evening.
• Low resources.
• Not detected by WAF.
• Not triggering rate limits.
• Manually adding IPs to block lists.

Slide 30

Slide 30 text

CA attack profile
• Continued attacks throughout the weekend.
• Detection evasion attempts (e.g. staying below rate controls).

Slide 31

Slide 31 text

Avoid data theft and downtime by extending the security perimeter outside the data center and protect from the increasing frequency, scale and sophistication of web attacks.

Credential Abuse – Single Attack 2
Online Banking Attack :: Biometric Detection

Slide 32

Slide 32 text

Credential Abuse – Single Attack 3
Online Hotel Attack :: Biometric Detection

Slide 33

Slide 33 text

Detection / Mitigation

Slide 34

Slide 34 text

Bots are complicated

From simple bots to sophisticated bots:
• Script on a single machine
• Distributed IPs
• Low request rate
• Randomized User-Agent
• Browser impersonation
• Session replay
• Full cookie support
• Partial/full JavaScript support
• Fingerprint spoofing
• Recorded human behavior

Slide 35

Slide 35 text

Bot Manager Technology

Traditional methods, less effective against credential abuse:
• IP rate limiting
• Network header analysis
• Browser property analysis

Akamai exploits "what makes us human": neuro-muscular interaction (how a person moves a pointer and types) is much harder for machine scripts to replicate than headers, cookies or request rates.

Slide 36

Slide 36 text

Bot Manager Premier Integration

1. End user ↔ Akamai Edge: Akamai JS is inserted into the page served to the end user.
2. Customer POST → Akamai Edge → Merchant web/mobile server.

Slide 37

Slide 37 text

Integration
• No changes to application, publishing or web/app servers
• All JS insertion is done by Akamai
• JS callouts are captured by Akamai and sent for processing

Slide 38

Slide 38 text

Integration
• JS data
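To make the "what makes us human" idea on slide 35 concrete, here is an added, illustrative scorer for the kind of pointer and keystroke telemetry a page-inserted script could report. It is not Akamai's detection logic and the telemetry shape is assumed: pointer samples as (milliseconds, x, y) and key-down timestamps in milliseconds. It checks three signals scripts tend to get wrong (a perfectly straight path, uniform sample timing, uniform typing cadence) and also catches the "recorded human behavior" case from slide 34 by refusing telemetry that has already been seen verbatim. Both sessions below are constructed.

```python
"""Heuristic behaviour scoring for login telemetry (added example, not Akamai code).

Assumed callout format: {"pointer": [(t_ms, x, y), ...], "keys": [t_ms, ...]}.
"""
from hashlib import sha256
from math import hypot
from statistics import mean, pstdev

# Constructed human-like session: curved path, uneven sample and key timing.
HUMAN_SESSION = {
    "pointer": [(0, 10, 300), (37, 52, 270), (71, 101, 248), (118, 158, 240),
                (141, 209, 246), (193, 266, 258), (222, 318, 249), (270, 341, 223)],
    "keys": [0, 143, 261, 410, 512, 690, 781],
}
# Constructed scripted session: straight line, fixed 50 ms steps, fixed 100 ms typing.
SCRIPT_SESSION = {
    "pointer": [(0, 10, 300), (50, 60, 290), (100, 110, 280), (150, 160, 270),
                (200, 210, 260), (250, 260, 250), (300, 310, 240), (350, 360, 230)],
    "keys": [0, 100, 200, 300, 400, 500, 600],
}


def coeff_variation(values):
    """Population std-dev divided by mean; 0.0 means perfectly regular spacing."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def path_straightness(pointer):
    """Straight-line distance over path length: 1.0 is a ruler-straight move."""
    (_, x0, y0), (_, xn, yn) = pointer[0], pointer[-1]
    direct = hypot(xn - x0, yn - y0)
    travelled = sum(hypot(x2 - x1, y2 - y1)
                    for (_, x1, y1), (_, x2, y2) in zip(pointer, pointer[1:]))
    return direct / travelled if travelled else 0.0


def timing_jitter(stamps):
    """Variation of the gaps between successive timestamps."""
    return coeff_variation([b - a for a, b in zip(stamps, stamps[1:])])


def features(session):
    return {
        "straightness": path_straightness(session["pointer"]),
        "pointer_jitter": timing_jitter([t for t, _, _ in session["pointer"]]),
        "key_jitter": timing_jitter(session["keys"]),
    }


def fingerprint(session):
    """Digest of the raw telemetry, used to spot replayed recordings."""
    return sha256(repr((session["pointer"], session["keys"])).encode()).hexdigest()


class BehaviourScorer:
    """Thresholds are illustrative assumptions, not tuned values."""

    def __init__(self, straightness_max=0.97, jitter_min=0.05):
        self.straightness_max = straightness_max
        self.jitter_min = jitter_min
        self.seen = set()

    def classify(self, session):
        f = features(session)
        flags = []
        if f["straightness"] > self.straightness_max:
            flags.append("straight_path")
        if f["pointer_jitter"] < self.jitter_min:
            flags.append("uniform_pointer_timing")
        if f["key_jitter"] < self.jitter_min:
            flags.append("uniform_key_timing")
        fp = fingerprint(session)
        if fp in self.seen:
            flags.append("replayed_telemetry")   # identical recording submitted again
        self.seen.add(fp)
        verdict = "bot" if len(flags) >= 2 or "replayed_telemetry" in flags else "human"
        return verdict, flags


if __name__ == "__main__":
    scorer = BehaviourScorer()
    print("script  :", scorer.classify(SCRIPT_SESSION))
    print("human   :", scorer.classify(HUMAN_SESSION))
    print("replay  :", scorer.classify(HUMAN_SESSION))
```

The replay check is what separates this from a pure "does it move like a human" test: a bot that replays one genuine recording passes every motion feature, so the telemetry must also be unique per session.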

Slide 39

Slide 39 text

Demonstration

bot-manager-demo.akamai.com

Slide 40

Slide 40 text

Summary and Recommendations
• Credential stuffing / ATO attacks are at elevated levels within Financial and Retail Services
• Monitor for increases in failed logins
  o Credential stuffing attacks are often mistaken for DDoS
• Monitor the call center for increases in account lockouts
• Information sharing, inclusive of verticals outside Financial Services, appears to be useful
• Consider biometric detection techniques for more sophisticated attackers
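The two points above that are easiest to operationalise are the rate-control limitation from slide 21 and the "monitor for increases in failed logins" recommendation here. The added example below (not Akamai code) runs both checks over a constructed five-minute login log: a per-IP rate control with a threshold no real user would hit, and aggregate stuffing indicators that do not depend on rate at all. The log format (`timestamp ip=... user=... login=...`), the addresses and the usernames are all synthetic.

```python
"""Credential-stuffing indicators over a login log (added example, not Akamai code).

Shows why a per-IP rate control misses distributed "low and slow" stuffing while
login-failure aggregates still expose it. Log format and data are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"   # assumed timestamp format of the constructed log


def build_sample_log():
    """Synthetic five-minute login log (not real traffic):
    - 6 legitimate clients, one or two logins each, one typo
    - 1 loud bot: 120 attempts in one minute from a single IP
    - 40 distributed bot IPs: 3 attempts each, spread over five minutes,
      every attempt against a different username, all failing
    """
    t0 = datetime(2017, 10, 15, 14, 0, 0)
    lines = []

    def add(ts, ip, user, result):
        lines.append(f"{ts.strftime(LOG_FORMAT)} ip={ip} user={user} login={result}")

    for i in range(6):                                  # legitimate users
        add(t0 + timedelta(seconds=10 * i), f"203.0.113.{i + 1}", f"alice{i}", "success")
    add(t0 + timedelta(seconds=70), "203.0.113.1", "alice0", "failure")
    for j in range(120):                                # loud single-IP bot
        add(t0 + timedelta(seconds=j // 2), "198.51.100.7", f"victim{j}", "failure")
    for k in range(40):                                 # distributed low-rate botnet
        for n in range(3):
            add(t0 + timedelta(seconds=100 * n + k), f"192.0.2.{k + 1}",
                f"victim{k * 3 + n}", "failure")
    return lines


def parse_log(lines):
    events = []
    for line in lines:
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.strptime(ts, LOG_FORMAT), "ip": fields["ip"],
                       "user": fields["user"], "ok": fields["login"] == "success"})
    return events


def rate_limit_offenders(events, max_per_minute=60):
    """Classic per-IP rate control: IPs exceeding max_per_minute in any 60 s window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    offenders = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= timedelta(minutes=1):
                start += 1
            if end - start + 1 > max_per_minute:
                offenders.add(ip)
                break
    return offenders


def stuffing_indicators(events, min_users_per_ip=3):
    """Rate-independent signals: overall failure ratio, and IPs that try many
    distinct usernames and never succeed (a human mistypes one account, not three)."""
    failures = sum(1 for e in events if not e["ok"])
    users_per_ip, attempts, fails = defaultdict(set), Counter(), Counter()
    for e in events:
        users_per_ip[e["ip"]].add(e["user"])
        attempts[e["ip"]] += 1
        if not e["ok"]:
            fails[e["ip"]] += 1
    spraying = {ip for ip, users in users_per_ip.items()
                if len(users) >= min_users_per_ip and fails[ip] == attempts[ip]}
    return {"failure_ratio": failures / len(events), "spraying_ips": spraying}


if __name__ == "__main__":
    ev = parse_log(build_sample_log())
    loud = rate_limit_offenders(ev)
    ind = stuffing_indicators(ev)
    print(f"{len(ev)} logins, failure ratio {ind['failure_ratio']:.1%}")
    print("rate control caught:", loud)
    print("stuffing IPs missed by rate control:", len(ind["spraying_ips"] - loud))
```

On this data the rate control catches exactly one address, the loud bot, while 40 attacking addresses stay under one request per minute and are only visible through the failure ratio and the distinct-usernames-per-IP count, which is the practical reading of slide 21.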

Slide 41

Slide 41 text

Thank You!